The Xiaomi POCO F1 gets Widevine L1 support in the latest MIUI beta

The POCOPHONE F1, or POCO F1 as its known in India, is one of the best smartphones from 2018 thanks to its affordability, flagship-tier hardware, acceptable camera quality, and custom development support. Unlike its closest competitors the OnePlus 6 and OnePlus 6T, however, the POCO F1 shipped from the factory without Widevine L1 certification. Our first introduction to Widevine DRM came about when we learned about its necessity to stream Netflix and Amazon Prime Video in HD quality. The controversy that arose after this revelation pushed OnePlus to offer users the chance to physically send in their devices to receive Widevine L1 certification. After POCO first announced that they would be bringing Widevine L1 support to the POCO F1, we assumed this meant that users would have to send their devices to Xiaomi. However, we’ve since learned that it’s actually possible to provision devices with Widevine L1 after they leave the factory, and as Xiaomi promised, the POCO F1 is finally getting an update with Widevine L1 certification in the latest MIUI 10 9.2.25 beta.

As you can see in the screenshot posted above using the DRM Info app, the Widevine CDM security level shows as L1. That means that, theoretically, it should now be possible for owners of the Xiaomi POCO F1 to stream DRM protected content from Netflix above 540p without having to use a hacked APK. Just because a device is Widevine L1 certified doesn’t mean video streaming services will automatically allow them to stream protected content, though. Service providers like Netflix can whitelist or blacklist devices based on their own desired parameters. In fact, a lot of video providers are reluctant to certify devices that have already launched. We haven’t yet confirmed which video providers now work in HD on the POCO F1, but we’ll update once we find out.

Update: A POCO CM confirmed to us that DRM content from HotStar and Amazon Prime Video are now supported. Netflix, unfortunately, has not yet certified the POCO F1 for streaming in HD.

How did Xiaomi update the POCO F1 with Widevine L1?

According to Google’s “get started” document for Widevine, the keybox “must be encrypted with a device-unique secret key” in the TrustZone. This keybox must either be installed “in the factory or delivered to the device using an approved secure delivery mechanism.” For the OnePlus 5 and OnePlus 5T, a OnePlus Community Manager stated that users had to physically send their devices to OnePlus so the provisioning could be done via an “authenticated PC” due to the “security processes involved with updating the devices.”

OnePlus’ statement matched the only Widevine-related documentation that we knew of at the time, so the community widely accepted that OTA provisioning wouldn’t be possible. Thus, for months we expected that Xiaomi would require users to send in their devices, but even that wouldn’t be possible because, according to Alvin Tse, Head of POCOPHONE Global, POCO’s BSP wasn’t pre-validated like OnePlus’ was so the service center route wouldn’t be possible for POCO. The BSP, or Board Support Package, is the set of software and tools provided by the vendor, in this case Qualcomm, to POCO to support a particular Android release on a particular chipset—in this case, the BSP they’re referring to is the one that supports the Android 8.1 Oreo release for the Qualcomm Snapdragon 845 mobile platform. (From what I hear, Qualcomm’s BSPs are already pre-validated with the Widevine implementation, so I’m not entirely sure what the case was with POCO.)

Regardless, it’s clear that Xiaomi wouldn’t be able to factory provision devices with the required device-unique secret key. That means their only option is to do it over OTA, which we long assumed wasn’t possible. On the contrary, OTA provisioning for Widevine L1 has been possible since at least the middle of 2017. Google made field provisioning via OTA possible with the introduction of the Provisioning 3.0 model, which “uses an OEM-generated device root of trust which may be installed by the OEM at the factory or Over The Air.” This certificate can then be used by Widevine to “provision devices with provider-specific DRM certificates.”

In order to OTA provision a device, the OEM needs the ability to issue a software update to the TEE (QSEE on Qualcomm devices.) I believe that most OEMs use Qualcomm’s default implementation of Widevine for QSEE, and if they want to update it, they would need to be provided the source code, which they may or may not have been provided by Qualcomm. Thus, without the source code, the OEM would need to wait for Qualcomm to update it. Whether that happened with Xiaomi I’m unaware, but regardless, it seems the company figured out how to bring Widevine L1 to the POCO F1. Now they just need to convince popular video providers to whitelist their devices.